
CN102572830A - Method and customer premise equipment (CPE) for terminal access authentication - Google Patents


Publication number
CN102572830A
Authority
CN
China
Prior art keywords
cpe
terminal
message
tunnel
wlan network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012100181205A
Other languages
Chinese (zh)
Other versions
CN102572830B (en)
Inventor
黄保庆
孔涛
朱莉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201210018120.5A (CN102572830B)
Priority to PCT/CN2012/075783 (WO2013107136A1)
Priority to RU2013106254/08A (RU2556468C2)
Publication of CN102572830A
Application granted
Publication of CN102572830B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the invention provide a method and customer premise equipment (CPE) for terminal access authentication. The method comprises the following steps: the CPE sends a discovery request to each access controller (AC) in the server of a wireless local area network (WLAN), according to the Internet Protocol (IP) address of each AC; if the CPE receives a discovery response corresponding to the discovery request from any one of the ACs, the CPE establishes a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel with that AC; and the CPE connects the terminals attached to it to the WLAN through the CAPWAP tunnel, so that the server of the WLAN authenticates, through the CAPWAP tunnel, the terminals that access the WLAN. The method solves the problem that a WLAN relying on a Long Term Evolution-Evolved Packet Core (LTE-EPC) network cannot separately authenticate terminals that attach through WiFi (Wireless Fidelity) or an Ethernet interface.

Description

Method and customer premises equipment for terminal access authentication
Technical field
The embodiments of the invention relate to communication technology, and in particular to a method and customer premises equipment for terminal access authentication.
Background technology
In a communication system, customer premises equipment (Customer Premise Equipment, CPE) includes home gateways, access points (Access Point, AP), modems, routers, data cards and the like. With the development of home broadband services, CPE is used more and more widely in home networks.
Currently, a wireless local area network (Wireless Local Area Network, WLAN) has to be deployed on the resources of a Long Term Evolution packet core network (Long Term Evolution-Evolved Packet Core, LTE-EPC network). An existing terminal can therefore access the LTE-EPC network directly, but when the terminal accesses the WLAN network it has to pass through the LTE-EPC network; that is, the LTE-EPC network transparently transmits the information exchanged between the terminal and the WLAN network.
However, a prior-art LTE CPE has a built-in WiFi AP and an Ethernet interface, so that smartphones and personal computers (Personal Computer, PC) access the LTE-EPC network through WiFi, or PCs access it through the Ethernet interface. According to the 3GPP standard, the LTE-EPC network can perceive only the LTE CPE and charges per LTE CPE; it cannot perceive the WiFi terminals attached to the LTE CPE, and so cannot authenticate WiFi terminals individually. Consequently, the WLAN network that accesses the LTE-EPC network cannot perform independent authentication, charging or quality of service (Quality of Service, QoS) management for the WiFi terminals either.
Summary of the invention
The embodiments of the invention provide a method and customer premises equipment for terminal access authentication, to solve the prior-art problem that a WLAN network relying on an LTE-EPC network cannot independently authenticate the terminals connected to a CPE.
The present invention provides a method of terminal access authentication, comprising:
the customer premises equipment (CPE) sends a discovery request to each access controller (AC) in the server of the WLAN network, according to the Internet Protocol (IP) address of each AC;
if the CPE receives a discovery response corresponding to the discovery request from any one of the ACs, the CPE establishes a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel with that AC;
the CPE connects the terminals attached to the CPE to the WLAN network through the CAPWAP tunnel, so that the server of the WLAN network authenticates, through the CAPWAP tunnel, the terminals that access the WLAN network.
The present invention provides customer premises equipment, comprising:
a sending unit, configured to send a discovery request to each access controller (AC) in the server of the WLAN network according to the IP address of each AC;
a receiving unit, configured to receive a discovery response corresponding to the discovery request returned by any one of the ACs;
an establishing unit, configured to establish a CAPWAP tunnel with that AC after the receiving unit receives the discovery response corresponding to the discovery request returned by any one of the ACs;
an access unit, configured to connect the terminals attached to the customer premises equipment to the WLAN network through the CAPWAP tunnel, so that the server of the WLAN network authenticates, through the CAPWAP tunnel, the terminals that access the WLAN network.
As the above technical solution shows, in the method and customer premises equipment of the embodiments, the CPE establishes, based on the CAPWAP protocol, a CAPWAP tunnel with an AC in the server of the WLAN network. The tunnel lets the terminals connected to the CPE access the WLAN network, and lets the server in the WLAN network authenticate those terminals through the tunnel, which solves the prior-art problem that a WLAN network accessing the LTE-EPC network cannot independently authenticate the terminals connected to a CPE.
Description of drawings
To illustrate the technical solutions of the invention more clearly, the drawings used in the embodiments are briefly introduced below. Obviously, these drawings show some embodiments of the invention; a person of ordinary skill in the art can, without creative effort, derive from them other drawings that likewise implement the technical solutions of the invention.
Fig. 1 is a scenario diagram of a terminal connecting to a WLAN network provided by the invention;
Fig. 2 is a scenario diagram of a terminal connecting to a WLAN network according to one embodiment of the invention;
Fig. 3 is a schematic flowchart of the method of terminal access authentication according to one embodiment of the invention;
Fig. 4 is a schematic flowchart of the method of terminal access authentication according to another embodiment of the invention;
Fig. 5 is a schematic flowchart of the method of terminal access authentication according to another embodiment of the invention;
Fig. 6 is a schematic flowchart of the method of terminal access authentication according to another embodiment of the invention;
Fig. 7 is a schematic flowchart of the method of terminal access authentication according to another embodiment of the invention;
Fig. 8 is a schematic flowchart of the method of terminal access authentication according to another embodiment of the invention;
Fig. 9 is a schematic structural diagram of the customer premises equipment according to another embodiment of the invention;
Fig. 10 is a schematic structural diagram of the customer premises equipment according to another embodiment of the invention.
Embodiment
To make the objectives, technical solutions and advantages of the invention clearer, the technical solutions of the invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the embodiments described below are some of the embodiments of the invention. Based on them, a person of ordinary skill in the art can, even without creative effort, obtain other embodiments that solve the technical problem of the invention and achieve its technical effect by equivalently transforming some or all of the technical features, and the embodiments obtained through such transformations clearly do not depart from the scope disclosed by the invention.
To help persons skilled in the art better understand the technical solutions of the embodiments, the prior-art solution is briefly introduced first. As shown in Fig. 1, in one prior-art solution an AP is built into the LTE CPE 11, and the LTE CPE 11 with the built-in AP also has an Ethernet interface, so that various terminals can connect to the LTE CPE 11 directly; for example, the PC (Personal Computer) 10 in the figure accesses the network through WiFi, or the PC 10 accesses the network through the Ethernet interface.
In this case the LTE-EPC network 12 perceives only the LTE CPE and can charge only per LTE CPE; it cannot perceive the terminals attached behind the LTE CPE. The WLAN network relying on the LTE-EPC network therefore cannot perform independent authentication, charging and QoS management for the terminals connected to the LTE CPE 11. In view of this, the embodiments of the invention provide a method of terminal access authentication, so that the WLAN network accessing the LTE-EPC network can independently authenticate the terminals connected to the CPE.
Fig. 2 shows a scenario diagram of a terminal connecting to a WLAN network according to one embodiment of the invention. As shown in Fig. 2, the CPE 21 in the embodiment may integrate a thin AP or may be directly connected to a fat AP. The terminal 20 can access the LTE-EPC network 22 or connect to the WLAN network 23 through WiFi; alternatively, the terminal 20 can access the LTE-EPC network 22 or connect to the WLAN network 23 through the Ethernet interface.
In particular, a CAPWAP tunnel is established between the CPE 21 and the server of the WLAN network that accesses the LTE-EPC network. The CPE 21 forwards, through the CAPWAP tunnel, the information that the terminals connected to it send to the WLAN network server, so that the terminal 20 connected to the CPE can access the WLAN network, and so that, through the CAPWAP tunnel, the server of the WLAN network can perform authentication, charging and QoS management for the terminals connected to the CPE.
It should be noted that the CPE 21 shown in Fig. 2 may have a built-in thin AP, or the CPE may have an external fat AP attached.
In other application scenarios, the terminal may also connect to the CPE directly through the Ethernet interface.
It will be understood that the thin AP described in this embodiment carries only the bridge forwarding function; functions such as terminal access, AP coming online, authentication, routing, AP management, security protocols and QoS are all carried and performed by the AC and/or a Broadband Remote Access Server (BRAS).
A fat AP carries the full 802.11 function, that is, messages based on the 802.11 protocol can be terminated directly at the fat AP. It will be understood that each fat AP can be managed independently as a separate network entity on the network, with functions including terminal access, authentication, data forwarding, AP management, security protocols, routing and QoS.
In one embodiment of the invention, the method of terminal access authentication is as described below.
The CPE connects the terminals attached to it, through the CAPWAP tunnel, to the WLAN network that relies on the LTE-EPC network, so that the server of the WLAN network authenticates, through the CAPWAP tunnel, the terminals that access the WLAN network.
For example, the CAPWAP tunnel may be one that the CPE establishes with the server of the WLAN network after completing the attach procedure to the LTE-EPC network.
As can be seen from the above, in the method of this embodiment the CAPWAP tunnel that the CPE establishes based on the CAPWAP protocol lets the terminals connected to the CPE access the WLAN network, and lets the server in the WLAN network authenticate, through the CAPWAP tunnel, the terminals that access the WLAN network, which solves the prior-art problem that the WLAN network cannot independently authenticate the terminals connected to the CPE.
Fig. 3 shows a schematic flowchart of the method of terminal access authentication according to one embodiment of the invention. As shown in Fig. 3, the method in this embodiment is as described below.
301. The CPE sends a discovery request to each access controller (Access Controller, AC) in the server of the WLAN network, according to the IP address of each AC.
It should be noted that the IP address of an AC can be obtained in several ways, for example: Domain Name System (DNS) resolution, an option of the Dynamic Host Configuration Protocol (DHCP), a statically configured IP address, broadcast, and so on.
For example, the IP address list information can be obtained in the following ways:
The CPE obtains the IP address of each AC in the server of the WLAN network from the packet data network (Packet Data Network, PDN) gateway of the LTE-EPC network, where the LTE-EPC network is the network connected to the WLAN network (the WLAN network accesses the LTE-EPC network, or the WLAN network relies on the LTE-EPC network). Or
The CPE obtains the domain name information of each AC in the server of the WLAN network from the PDN gateway of the LTE-EPC network, sends to the DNS of the LTE-EPC network a domain name resolution request containing the domain name information of each AC, and receives the IP address list that the DNS returns in response; the IP address list contains the IP address of each AC.
There are multiple ACs in this embodiment; correspondingly, the IP address list contains multiple IP addresses, each corresponding to one AC.
302. If the CPE receives a discovery response corresponding to the discovery request from any one of the ACs, the CPE establishes a CAPWAP tunnel with that AC.
In this embodiment, the CAPWAP tunnel established with the AC in step 302 may comprise a CAPWAP control-plane channel and a CAPWAP data-plane channel. When a terminal connects to the CPE, the CPE interacts with the AC over the CAPWAP control-plane channel so that the CPE and the AC establish an association for that terminal; the CAPWAP data-plane channel is used for the interaction between the terminal and the WLAN network.
303. The CPE connects the terminals attached to the CPE to the WLAN network through the CAPWAP tunnel, so that the server of the WLAN network authenticates, through the CAPWAP tunnel, the terminals that access the WLAN network.
In particular, corresponding to step 302: if the CPE does not receive a discovery response corresponding to the discovery request from one or more of the ACs, then after a preset interval (for example 10 s, 5 s, 15 s) it sends the discovery request again to the ACs that did not return a discovery response.
For example, the preset interval in this embodiment may be 2 s, 3 s, 11 s, 20 s, 30 s, and so on. The terminal connected to the CPE may be a PC that connects to the CPE through an external fat AP, a terminal that connects to the CPE through the Ethernet interface on the CPE, a WiFi terminal that accesses through WiFi, and so on.
In actual use, after step 302 and before step 303, the method of terminal access authentication also includes the following step 304, which is not shown in Fig. 3.
304. The CPE receives the AP version information that the AC with which the tunnel is established sends over the established CAPWAP tunnel. If the AP version information received by the CPE is inconsistent with the version information of the AP set in the CPE, the CPE sends the AC a request to update the AP version information, so that the AC with which the tunnel is established upgrades the AP version.
The CPE in this embodiment stores the version information of the AP, for example of a built-in thin AP or an external fat AP.
For example, the AC with which the tunnel is established sends the CPE, over the previously established CAPWAP control-plane channel, the AP version information that this AC expects, and the AP built into the CPE or the external AP determines whether an upgrade is needed.
Of course, in other embodiments, when receiving the AP version information in step 304 the CPE also receives the configuration information corresponding to the AP version information sent by the AC with which the tunnel is established, so that the CPE checks whether the version information and configuration information of the AP set internally are consistent with the received version information and configuration information.
It should be noted that this configuration information carries the configuration of the service set identifier (Service Set Identifier, SSID), so that the WLAN network can better authenticate the accessing terminals.
It should be understood that the information exchanged after the CPE and the AC establish the CAPWAP tunnel, such as AP version information and configuration information, can follow the relevant provisions of the CAPWAP protocol and is not detailed further in this embodiment.
As the above embodiment shows, in this method the CPE obtains the IP addresses of the ACs during the LTE-EPC network attach procedure and then actively sends discovery requests to the ACs, so that a CAPWAP tunnel is established between the CPE and an AC. When a terminal accesses the WLAN network, it can interact through the CAPWAP tunnel with the AC with which the tunnel is established. This realizes independent authentication in the WLAN network of terminals that access through WiFi or the Ethernet interface, and solves the prior-art problem that the WLAN network cannot perform independent authentication, separate charging and QoS management for the terminals connected to the CPE.
The ways of obtaining the IP address list information in the terminal access authentication method are illustrated below.
In one application scenario, the IP address list of the ACs in the server of the WLAN network is preset in the CPE; the IP address list contains the IP address of each AC.
In another application scenario, the domain name information of the ACs in the server of the WLAN network is preset in the CPE, and the CPE obtains the IP address list from the domain name information as follows:
S01. According to the preset domain name information of the ACs, the CPE sends the DNS of the LTE-EPC network a domain name resolution request containing the domain name information.
S02. The DNS resolves the domain name information according to the domain name resolution request and returns an IP address list consisting of the IP addresses corresponding to the domain name information of the ACs.
In one case, the DNS in step S01 may be a network element in the LTE-EPC network. In other cases, when the LTE-EPC network and the WLAN network are deployed, the DNS may also exist as an independent resolution server, depending on the operator's deployment requirements. In that case, in step S01 the CPE sends the DNS a domain name resolution request containing the domain name information according to the preset domain name information of the ACs, to obtain the IP address list consisting of the IP addresses corresponding to the domain name information of the ACs.
In a third application scenario, during the LTE-EPC network attach procedure the CPE uses the extended protocol configuration option (Protocol Configuration Option, PCO) to obtain the IP address list of the ACs from the PDN gateway.
Specifically, the CPE sends the PDN gateway a request to obtain the IP addresses of all ACs, and receives the IP address list, containing the IP addresses of all ACs, that the PDN gateway returns in response.
That is, the CPE obtains from the PDN gateway of the LTE-EPC network the IP address list consisting of the IP addresses of the ACs.
In a fourth application scenario, the CPE sends the PDN gateway a request to obtain the domain name information of the ACs, and receives the domain name information of the ACs that the PDN gateway returns in response.
In this case, during the LTE-EPC network attach procedure the CPE uses the extended protocol configuration option (Protocol Configuration Option, PCO) to obtain the domain name information of the ACs from the PDN gateway;
the CPE sends the DNS of the LTE-EPC network a domain name resolution request containing the domain name information of the ACs, and receives the IP address list that the DNS returns in response; the IP addresses in the list are those corresponding to the domain name information of the ACs.
In a fifth application scenario, the first way of obtaining the IP address list of the ACs is as follows: during the CPE's attach procedure to the LTE-EPC network, the PDN gateway of the LTE-EPC network does not allocate an IP address. After the CPE's default bearer is established, the CPE obtains its IP address, default gateway, DNS and other parameters through the Dynamic Host Configuration Protocol (DHCP) procedure, and then obtains the IP address list of the ACs from the PDN gateway of the LTE-EPC network through option 43.
The second way of obtaining the IP address list information of the ACs: if the DHCP procedure in the first way supports option 15, and option 15 is carried in the message that responds with the IP address allocated to the CPE, the CPE can obtain from the DNS the IP addresses of the ACs in the list according to the list of AC host names carried in option 15, and thus obtain the IP address list of all ACs.
It should be noted that allocating an IP address, default gateway and so on to the CPE in the LTE-EPC network is the normal existing DHCP allocation procedure, and option 43 and option 15 may be information that the DHCP server carries in the response message sent to the CPE.
Fig. 4 shows a schematic flowchart of the method of terminal access authentication according to another embodiment of the invention. As shown in Fig. 4, the method in this embodiment is as described below.
401. The CPE sends a discovery request to each AC in the server of the WLAN network, according to the IP address of each AC.
402. If the CPE receives a discovery response corresponding to the discovery request from any one of the ACs, the CPE establishes a CAPWAP tunnel with that AC.
403. The CPE receives a DHCP Discovery message (Dynamic Host Configuration Protocol discovery message) and sends it through the CAPWAP tunnel to the AC with which the CPE has established the tunnel. The DHCP Discovery message is sent by a terminal connected to the CPE to request access to the WLAN network, and contains the media access control (Media Access Control, MAC) information of the terminal.
For example, the CPE encapsulates the DHCP Discovery message using the CAPWAP protocol and sends it to the AC through the CAPWAP tunnel.
404. The CPE receives the DHCP Offer message (Dynamic Host Configuration Protocol offer message) corresponding to the DHCP Discovery message, sent through the CAPWAP tunnel by the AC with which the tunnel is established. The DHCP Offer message carries the IP address, corresponding to the MAC information, allocated by that AC.
405. The CPE forwards the DHCP Offer message to the terminal, so that the terminal accesses the WLAN network using the IP address allocated by the AC with which the tunnel is established, and so that the server of the WLAN network authenticates, through the CAPWAP tunnel, the terminal that accesses the WLAN network.
In practical applications, before the CPE in step 403 sends the DHCP Discovery message through the CAPWAP tunnel to the AC with which the tunnel is established, the method of terminal access authentication also includes the following steps 406 and 407, which are not shown in Fig. 4.
406. The CPE obtains the MAC information of the terminal from the DHCP Discovery message sent by the terminal connected to the CPE, and sends an Association message through the CAPWAP tunnel to the AC with which the tunnel is established; the Association message contains the MAC information of the terminal.
Specifically, this step describes the CPE receiving a new terminal and initiating the association for the new terminal with the AC, so that the AC adds the information related to this terminal.
407. After receiving the Association response message corresponding to the Association message, returned through the CAPWAP tunnel by the AC with which the tunnel is established, the CPE establishes the association for this terminal with that AC according to the MAC information of the terminal.
In particular, in practical applications, after receiving the Association response message sent by the AC, the CPE also receives the configuration information of the add-terminal message element sent by the AC, so that the CPE configures itself according to this configuration information. For example, the CPE receives a station configuration Request message (terminal configuration request message) sent by the AC and, in response, sends the AC a station configuration response message (terminal configuration response message).
The station configuration Request message, station configuration response message, Association message and Association response message here all belong to the content specified in the CAPWAP protocol. This embodiment is only an illustration; the information exchanged when the CPE and the AC establish an association can follow the provisions of the CAPWAP protocol.
In other embodiments, if the CPE receives multiple DHCP Discovery messages containing the same MAC information from a terminal connected to the CPE, the CPE sends any one of those DHCP Discovery messages through the CAPWAP tunnel to the AC with which the tunnel is established, and discards the other messages.
Preferably, the CPE uses the media access control (Media Access Control, MAC) address of the first DHCP Discovery message among the multiple DHCP Discovery messages containing the same MAC information to initiate the association procedure described above; the other DHCP Discovery messages are discarded and do not trigger the association procedure.
In addition, if any port of the CPE receives multiple DHCP Discovery messages within a pre-configured detection time (such as 5 s, 10 s, 15 s, 20 s or 30 s), and the MAC information contained in each of those DHCP Discovery messages is different, the CPE discards the multiple DHCP Discovery messages received on that port.
For example, when a particular port of the CPE receives 50 DHCP Discovery messages in succession within 10 s, or 30 DHCP Discovery messages within 5 s, and the MAC information contained in those DHCP Discovery messages is all different, the CPE can conclude that a network attacker is attacking the network; it then discards the DHCP Discovery messages received on this port within the detection time and does not initiate the association procedure. By suppressing this abnormal condition, the CPE prevents a terminal from attacking the network by changing to different MAC information. The particular port here is any port of the CPE that is set up for connecting to the WLAN network, such as the Ethernet interface or the port that connects the fat AP.
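The duplicate suppression and per-port flood check described above, as an added Python sketch (not code from the patent). The class and method names, the pending-entry timeout, and the choice to keep a port suppressed for one full detection time once the threshold is reached are assumptions of this example; the event data is constructed.

```python
"""Constructed sketch of a CPE-side DHCP Discovery filter; names are hypothetical."""
from collections import defaultdict, deque

FORWARD = "forward"                # relay over CAPWAP and start the association
DROP_DUPLICATE = "drop-duplicate"  # this MAC is already being handled
DROP_FLOOD = "drop-flood"          # port shows a burst of distinct MACs


class DhcpDiscoverGuard:
    def __init__(self, window_s=10.0, max_distinct_macs=50, pending_ttl_s=30.0):
        self.window_s = window_s                    # the "detection time" in the text
        self.max_distinct_macs = max_distinct_macs  # e.g. 50 in 10 s or 30 in 5 s
        self.pending_ttl_s = pending_ttl_s          # assumption: stale entries expire
        self._recent = defaultdict(deque)           # port -> (timestamp, mac) entries
        self._blocked_until = {}                    # port -> end of suppression
        self._pending = {}                          # mac -> (port, time forwarded)

    def on_discover(self, port, mac, now):
        """Return the verdict for one DHCP Discovery seen on `port` at time `now`."""
        mac = mac.lower()
        if now < self._blocked_until.get(port, float("-inf")):
            return DROP_FLOOD
        entry = self._pending.get(mac)
        if entry is not None and now - entry[1] <= self.pending_ttl_s:
            return DROP_DUPLICATE  # only the first message triggers association
        recent = self._recent[port]
        while recent and now - recent[0][0] > self.window_s:
            recent.popleft()       # slide the detection window
        recent.append((now, mac))
        distinct = {m for _, m in recent}
        if len(distinct) >= self.max_distinct_macs:
            # Suppress the port and forget the burst's half-open associations,
            # so spoofed MACs cannot grow the pending table without bound.
            self._blocked_until[port] = now + self.window_s
            for m in distinct:
                if self._pending.get(m, (None,))[0] == port:
                    del self._pending[m]
            recent.clear()
            return DROP_FLOOD
        self._pending[mac] = (port, now)
        return FORWARD

    def on_offer(self, mac):
        """The DHCP Offer reached the terminal; later Discoveries are new requests."""
        self._pending.pop(mac.lower(), None)

    def pending_count(self):
        return len(self._pending)


def build_sample_events():
    """Constructed input: a retrying terminal on eth0, then MAC churn on wifi0."""
    events = [("eth0", "AA:BB:CC:00:00:01", t) for t in (0.0, 1.0, 2.0)]
    events += [("wifi0", f"02:00:00:00:00:{i:02x}", 10.0 + i * 0.1)
               for i in range(40)]
    events.append(("wifi0", "02:00:00:00:01:00", 20.0))  # after suppression ends
    return events


def replay(guard, events):
    return [guard.on_discover(port, mac, now) for port, mac, now in events]


if __name__ == "__main__":
    guard = DhcpDiscoverGuard(window_s=5.0, max_distinct_macs=30)
    verdicts = replay(guard, build_sample_events())
    for verdict in (FORWARD, DROP_DUPLICATE, DROP_FLOOD):
        print(verdict, verdicts.count(verdict))
```

Because the filter works on a stream, the Discoveries that arrive before the threshold is reached have already been relayed; a real CPE would also have to withdraw those associations at the AC.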
In an actual operating scenario, the CPE can identify, from the preset working mode of a port, the network that a terminal connected to the CPE needs to access.
Of course, another situation may also arise: the same terminal connects to the WLAN network through different CPEs. In this case, the WLAN network handles the terminal as described below.
When the AC with which the tunnel is established receives, through a CAPWAP tunnel, an Association message sent by another CPE, and determines from the MAC information in that Association message that the terminal connected to the other CPE and the terminal connected to this CPE are the same terminal, the CPE receives a Station Configuration Update message that the AC sends through the CAPWAP tunnel. The Station Configuration Update message carries a Delete Station information element, and the CPE deletes the information related to the terminal according to that element.
The above method of terminal access authentication enables a WLAN network that relies on the LTE-EPC network to authenticate each terminal connected to the CPE independently, and in turn enables the WLAN network to perform separate charging and QoS management for each terminal connected to the CPE.
Fig. 5 shows a schematic flowchart of a terminal disconnecting from the WLAN network in the method of terminal access authentication provided by another embodiment of the present invention. As shown in Fig. 5, the flow of the terminal disconnecting from the WLAN network in this embodiment is as follows.
501. After the connection between the terminal and the WLAN network is broken, the CPE sends a Disassociation message through the CAPWAP tunnel to the AC with which the tunnel is established. The Disassociation message causes that AC to remove the association for this terminal that was established between the AC and the CPE.
Usually, the Disassociation message contains the MAC information of the terminal.
502. The CPE receives, through the CAPWAP tunnel, the response message corresponding to the Disassociation message sent by the AC and the configuration information carrying a delete-station message element sent by the AC, and deletes the information related to the terminal according to that configuration information.
For instance, the configuration information carrying the delete-station message element can be the configuration information carried in a Station Configuration Request message that the CPE receives from the AC.
In particular, before step 501, the method of terminal access authentication also includes:
If the CPE does not receive, within a set time (such as 1 min, 5 min, 10 min or 50 min), any message containing service data sent by the terminal connected to the CPE, it determines that the connection between the terminal and the WLAN network is broken; or
if the CPE detects that the state of the terminal connected to a particular port of the CPE is disconnected, it determines that the connection between the terminal and the WLAN network is broken. The CPE then carries out the above flow of the terminal disconnecting from the WLAN network.
Usually, a set time for judging service-data messages or service-data traffic (such as 8 min or 15 min) can be configured in the CPE. If no service-data message from the terminal is received within the set time, or the detected service-data traffic is zero, the terminal is considered to have gone offline or to be disconnected, and the CPE needs to initiate the disassociation flow for that terminal to the AC.
In other embodiments, if the terminal actively disconnects from the WLAN network and actively initiates the release flow of the DHCP procedure toward the WLAN network, the CPE likewise needs to initiate the disassociation flow for that terminal to the AC.
In addition, after a PC shuts down, the CPE Ethernet port to which the PC is directly connected is in the disconnected state, and the CPE can sense the port state. When the CPE senses that the port is disconnected and the port has not recovered within one minute, it initiates the disassociation flow for that PC.
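The disconnection triggers above (no service data within the set time, a port that stays down, a DHCP release) and the AC-initiated deletion used when the same terminal appears behind another CPE, sketched as a CPE station table; this is an added example, not code from the patent. All names are assumptions; the 300 s idle time and 60 s port grace period are picked from the page's "5 min" and "one minute" examples.

```python
"""CPE station table: when to send Disassociation to the AC (constructed example)."""
from dataclasses import dataclass


@dataclass
class Station:
    mac: str
    port: str
    last_traffic: float
    leaving: bool = False   # Disassociation already sent, waiting for the AC


class StationTable:
    def __init__(self, idle_timeout_s=300.0, port_down_grace_s=60.0):
        self.idle_timeout_s = idle_timeout_s
        self.port_down_grace_s = port_down_grace_s
        self.stations = {}          # mac -> Station
        self.port_down_since = {}   # port -> time the link went down
        self.outbox = []            # (mac, reason): Disassociation messages for the AC

    def associate(self, mac, port, now):
        """Association with the AC succeeded for this terminal."""
        self.stations[mac] = Station(mac, port, now)

    def on_traffic(self, mac, now):
        """A message carrying service data arrived from the terminal."""
        st = self.stations.get(mac)
        if st and not st.leaving:
            st.last_traffic = now

    def on_port_state(self, port, up, now):
        if up:
            self.port_down_since.pop(port, None)      # link recovered in time
        else:
            self.port_down_since.setdefault(port, now)

    def on_dhcp_release(self, mac):
        """The terminal released its lease on its own initiative."""
        self._disassociate(mac, "dhcp-release")

    def on_delete_station(self, mac):
        """The AC sent a delete-station element: drop local state.

        Used both for the answer to our own Disassociation (step 502) and for
        the case where the AC saw the same MAC associate through another CPE.
        """
        return self.stations.pop(mac, None) is not None

    def tick(self, now):
        """Periodic check of the idle timer and of ports that stayed down."""
        for st in list(self.stations.values()):
            down = self.port_down_since.get(st.port)
            if down is not None and now - down >= self.port_down_grace_s:
                self._disassociate(st.mac, "port-down")
            elif now - st.last_traffic >= self.idle_timeout_s:
                self._disassociate(st.mac, "idle")

    def _disassociate(self, mac, reason):
        st = self.stations.get(mac)
        if st and not st.leaving:       # send at most one Disassociation
            st.leaving = True
            self.outbox.append((mac, reason))
```

Local state is removed only in `on_delete_station`, mirroring step 502, where the CPE deletes the terminal's information after the AC's delete-station configuration arrives.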
It should be noted that the CAPWAP tunnel described above comprises a CAPWAP control-plane channel and a CAPWAP data-plane channel. The CPE sends the DHCP Discovery message to the AC through the CAPWAP data-plane channel, and receives the DHCP offer message sent by the AC through the CAPWAP data-plane channel.
The Association message, Association response message, Station Configuration Request message, Station Configuration Response message and so on are all sent through the CAPWAP control-plane channel. In other words, the information exchanged when the CPE and the AC establish an association is transmitted through the CAPWAP control-plane channel, while the information exchanged between the terminal and the WLAN network after the CPE and the AC have established the association is transmitted through the CAPWAP data-plane channel.
As the above embodiment shows, when a terminal connected to the CPE accesses the WLAN network, the AC can manage and operate the corresponding terminal at a fine granularity, for example by performing independent authentication, charging and QoS management for the terminal. In addition, the CPE reduces the operator's additional investment cost. Furthermore, using the LTE-EPC network for backhaul transmission helps operators in regions with underdeveloped fixed networks to launch services and reduce investment cost, and the dependence on the terminal is low.
Fig. 6 is a schematic flowchart of the method of terminal access authentication provided by an embodiment of the present invention. As shown in Fig. 6, the method of terminal access authentication of this embodiment is as follows.
The CPE in this embodiment integrates the CAPWAP protocol stack and is connected to an ordinary home AP. Usually, the ordinary home AP is a fat AP, and the 802.11 air-interface frames are terminated at the fat AP.
For example, the RJ45 port of the CPE is the port that connects the ordinary home AP; in this case the WiFi terminal connects to the CPE through the ordinary home AP.
601. After the CPE and the AC have established the CAPWAP tunnel, the CPE receives a DHCP Discovery message that the WiFi terminal sends through the AP. The DHCP Discovery message contains the MAC information of the WiFi terminal and indicates that a new WiFi terminal intends to access the WLAN network.
602. The CPE obtains the MAC information of the WiFi terminal from the DHCP Discovery message, encapsulates it, and sends an Association message through the control-plane channel of the CAPWAP tunnel to the AC with which the tunnel is established. The Association message contains the encapsulated MAC information of the WiFi terminal; it informs the AC that a new WiFi terminal is accessing and causes the CPE and the AC to establish an association for this WiFi terminal.
603. After receiving the Association response message corresponding to the Association message, which the AC returns through the control-plane channel of the CAPWAP tunnel, the CPE establishes the association for this new WiFi terminal with the AC according to the MAC information of the WiFi terminal.
604. After the CPE and the AC have established the association, the CPE sends the DHCP Discovery message containing the MAC information of the WiFi terminal to the AC through the data-plane channel of the CAPWAP tunnel.
605. The CPE receives the DHCP offer message corresponding to the DHCP Discovery message, which the AC sends through the data-plane channel of the CAPWAP tunnel. The DHCP offer message carries the IP address, corresponding to the MAC information, allocated by the AC with which the tunnel is established.
606. The CPE forwards the DHCP offer message to the terminal, so that the terminal accesses the WLAN network with the IP address allocated by the AC, which in turn allows the server of the WLAN network to authenticate the WiFi terminal.
As the above embodiment shows, in this method of terminal access authentication a CAPWAP tunnel is established between the CPE and the AC, and the CPE lets terminals connected to it access the WLAN network through that tunnel. The server of the WLAN network authenticates the terminal through the CAPWAP tunnel, which solves the prior-art problem that the WLAN network cannot independently authenticate a terminal connected to a CPE.
According to a further aspect of the invention, the present invention also provides a method of terminal access authentication, comprising: a terminal connected to a CPE is authenticated, through the CAPWAP tunnel established between the CPE and the AC, in a WLAN network that relies on the LTE-EPC network.
For instance, Fig. 7 is a schematic flowchart of the method of terminal access authentication provided by an embodiment of the present invention. As shown in Fig. 7, the method of terminal access authentication of this embodiment is as follows.
The authentication used as an example in this embodiment is WEB authentication. WEB authentication is currently the most common authentication mode for WiFi terminals and uses a username and password.
Following on from the WiFi terminal's access to the WLAN network shown in Fig. 6, Fig. 7 illustrates the WEB authentication process for the WiFi terminal.
The AC, the Broadband Remote Access Server (BRAS), the Portal Server and the authentication, authorization and accounting server (AAA server) mentioned below are servers in the WLAN network.
701. After the WiFi terminal has accessed the WLAN network, the WiFi terminal sends an HTTP message used for access authentication to the CPE.
702. After receiving the HTTP message sent by the WiFi terminal, the CPE re-encapsulates the HTTP message according to the CAPWAP protocol and sends the re-encapsulated HTTP message to the AC through the CAPWAP data-plane channel.
703. After receiving the HTTP message sent by the CPE, the AC decapsulates it and forwards the decapsulated HTTP message to the BRAS, and the BRAS redirects the HTTP message to the Portal Server.
704. After receiving the HTTP message, the Portal Server pushes the WEB authentication page to the CPE through the CAPWAP data-plane channel.
705. After receiving the WEB authentication page sent by the Portal Server, the CPE forwards it to the WiFi terminal, so that the WiFi terminal displays the WEB authentication page and receives the username and password entered by the user.
706. The CPE receives the username, password and other information sent by the WiFi terminal, and sends it to the Portal Server through the CAPWAP data-plane channel.
Specifically, the CPE sends the encapsulated username, password and other information to the Portal Server through the CAPWAP data-plane channel.
707. After receiving the username, password and other information, the Portal Server decapsulates it and submits an authentication request to the BRAS.
708. After receiving the authentication request sent by the Portal Server, the BRAS initiates an Access Request authentication message to the AAA server according to the authentication request.
709. After receiving the Access Request authentication message, the AAA server authenticates the username, password and other information of the WiFi terminal. If the authentication passes, the AAA server sends an Access accept message to the BRAS;
otherwise, it returns error prompt information.
710. The BRAS receives the Access accept message sent by the AAA server and returns the response message corresponding to the Access accept message to the AAA server; it also returns, according to the Access accept message, a response message indicating that authentication has passed to the Portal Server.
711. After receiving the response message indicating that authentication has passed, the Portal Server sends the authentication-success page to the CPE through the CAPWAP data-plane channel. The CPE forwards the authentication-success page to the WiFi terminal, which triggers the heartbeat handshake information at the WiFi terminal. The WiFi terminal then carries out the normal services of the WLAN network, and the WLAN network starts charging for the WiFi terminal at the same time.
Fig. 8 is a schematic flowchart of the method of terminal access authentication provided by an embodiment of the present invention. As shown in Fig. 8, the method of terminal access authentication of this embodiment is as follows.
Following on from the WiFi terminal's completion of WEB authentication shown in Fig. 7, Fig. 8 illustrates the charging flow for the WiFi terminal.
801. After the WiFi terminal completes the WEB authentication of the WLAN network, the BRAS initiates an Account Request Start message (charging start request) for this WiFi terminal to the AAA server, prompting the AAA server to begin charging for this WiFi terminal.
802. The AAA server returns a charging start response message to the BRAS.
803. The uplink service traffic of the WiFi terminal accessing the WLAN network is sent by the CPE to the BRAS through the CAPWAP data-plane channel;
the downlink traffic sent by the BRAS is sent to the CPE through the CAPWAP data-plane channel, and the CPE forwards the downlink traffic to the WiFi terminal.
804. The BRAS monitors the user's network usage and sends Account Request interim messages (interim charging requests) to the AAA server in real time.
805. The AAA server updates the CDR record according to the charging policy and returns an Account Response interim response message to confirm that charging is normal. If the condition for generating a partial CDR is met, the AAA generates an interim UDR and provides the billing record to the CBS system, and the CBS system completes the adjustment of the user's charges.
The CDR described above is generated jointly by the BRAS, the AAA and the CBS, and the operator's charging system outputs the bill for the WiFi terminal.
806. After the WiFi terminal actively goes offline, or the access side (that is, the WLAN network side) detects that the WiFi terminal has timed out and gone offline, an Account Request Stop message (charging stop request) is initiated to the AAA.
807. The AAA closes the CDR file and returns an Account Response Stop message (charging stop response).
To sum up, the CPE handles WLAN access authentication and charging for services (such as Internet services) per accessing terminal at the IP level. The CPE applies CAPWAP tunnel encapsulation, the EPC routes the traffic to the AC/BRAS for WEB authentication and access to the Internet and the service domain, and the AAA server performs IP-layer authentication and charging and implements the corresponding QoS management.
According to a further aspect of the invention, the present invention also provides a customer premise equipment. As shown in Fig. 9, the customer premise equipment comprises a sending unit 91, a receiving unit 92, an establishing unit 93 and an access unit 94. The sending unit 91 is configured to send a discovery request to each AC in the servers of the WLAN network according to the IP address of each AC. The receiving unit 92 is configured to receive the discovery response, corresponding to the discovery request, returned by any one of the ACs. The establishing unit 93 is configured to establish a CAPWAP tunnel with that AC after the receiving unit 92 receives the discovery response returned by it. The access unit 94 is configured to let a terminal connected to the customer premise equipment access the WLAN network through the CAPWAP tunnel, and to let the server of the WLAN network authenticate, through the CAPWAP tunnel, the terminal that accesses the WLAN network.
Thus, the customer premise equipment in this embodiment enables a WLAN network that relies on the LTE-EPC network to authenticate independently a terminal connected to the CPE.
In practical applications, the sending unit 91 is also configured to resend the discovery request, after a preset interval, to any AC that has not returned a discovery response, when the receiving unit 92 has not received the discovery response corresponding to the discovery request from one or more of the ACs.
In one scenario, the customer premise equipment also needs to comprise an address acquisition unit. The address acquisition unit is configured to obtain the IP address of each AC in the servers of the WLAN network from the Packet Data Network (PDN) gateway of the LTE-EPC network, where the LTE-EPC network is connected to the WLAN network (the WLAN network accesses the LTE-EPC network, or the WLAN network relies on the LTE-EPC network); or
the address acquisition unit is configured to obtain the domain-name information of each AC in the servers of the WLAN network from the PDN gateway of the LTE-EPC network, send a domain-name resolution request containing the domain-name information of each AC to the DNS of the LTE-EPC network, and receive the IP address list that the DNS returns in response to the domain-name resolution request. The IP address list contains the IP address of each AC.
Of course, in other embodiments, the IP address list can also be preset in the CPE in advance.
Usually, the CPE has a built-in thin AP or an external fat AP, and the CPE therefore stores the version information of the AP. In this case, after the CPE and the AC establish the tunnel, the receiving unit 92 is also configured to receive the AP version information that the AC sends over the CAPWAP tunnel;
correspondingly, the sending unit 91 is also configured to initiate, to the AC, a request to update the version information of the AP when the AP version information received by the receiving unit 92 is inconsistent with the version information of the AP set in the customer premise equipment, so that the AC with which the tunnel is established upgrades the version of the AP.
In actual use, as shown in Fig. 10, the access unit 94 specifically comprises a distribution unit 941, a message receiving unit 942 and a message sending unit 943. The distribution unit 941 is configured to receive a DHCP Discovery message and send it through the CAPWAP tunnel to the AC with which the tunnel is established. The DHCP Discovery message is sent by a terminal connected to the customer premise equipment, requests access to the WLAN network, and contains the MAC information of the terminal;
the message receiving unit 942 is configured to receive the DHCP offer message corresponding to the DHCP Discovery message, which the AC sends through the CAPWAP tunnel. The DHCP offer message carries the IP address, corresponding to the MAC information, allocated by the AC with which the tunnel is established;
the message sending unit 943 is configured to forward the DHCP offer message to the terminal, so that the terminal accesses the WLAN network with the IP address allocated by the AC.
Further, the access unit 94 also comprises an association message sending unit 944 and an association unit 945. The association message sending unit 944 is configured to obtain the MAC information of the terminal from the DHCP Discovery message sent by the terminal connected to the customer premise equipment, and to send an Association message, containing the MAC information of the terminal, through the CAPWAP tunnel to the AC with which the tunnel is established;
the association unit 945 is configured to establish the association for the terminal with the AC, according to the MAC information of the terminal, after receiving the Association response message corresponding to the Association message that the AC returns through the CAPWAP tunnel.
In particular, the distribution unit 941 is also configured, when it receives multiple DHCP Discovery messages containing the same MAC information from a terminal connected to the customer premise equipment, to send any one of them (for example the first DHCP Discovery message) through the CAPWAP tunnel to the AC with which the tunnel is established, and to discard the others.
In addition, the distribution unit 941 is also configured to discard the DHCP Discovery messages when it detects that any port of the customer premise equipment receives multiple DHCP Discovery messages within the preconfigured detection time and the MAC information contained in each of them is different.
Of course, the distribution unit 941 is also configured to receive the Station Configuration Update message that the AC sends through said CAPWAP tunnel when the AC with which the tunnel is established receives, through a CAPWAP tunnel, an Association message sent by another customer premise equipment and determines from the MAC information in that Association message that the terminal connected to the other customer premise equipment and the terminal connected to this customer premise equipment are the same terminal. The Station Configuration Update message carries a Delete Station information element, and the information related to the terminal is deleted according to that element.
In actual operation, the customer premise equipment also comprises a disassociation unit (not shown). The disassociation unit is configured to send, after the connection between the terminal and the WLAN network is broken, a Disassociation message through the CAPWAP tunnel to the AC with which the tunnel is established. The Disassociation message causes that AC to remove the association for the terminal that was established between the AC and the CPE;
further, the disassociation unit is configured to receive, through the CAPWAP tunnel, the response message corresponding to the Disassociation message sent by the AC and the configuration information carrying a delete-station message element sent by the AC, and to delete the information related to the terminal according to that configuration information.
Of course, the disassociation unit is also configured to determine that the connection between the terminal and said WLAN network is broken when no message containing service data is received from the terminal connected to the customer premise equipment within the set time; or to determine that the connection between the terminal and said WLAN network is broken when it detects that the state of the terminal connected to a particular port of the customer premise equipment is disconnected.
As the above embodiment shows, the customer premise equipment of this embodiment uses the sending unit, the receiving unit and the establishing unit to let the CPE establish, based on the CAPWAP protocol, a CAPWAP tunnel with an AC in the servers of the WLAN network. The access unit then lets a terminal connected to the CPE access the WLAN network through the CAPWAP tunnel, so that the server in the WLAN network that relies on the LTE-EPC network authenticates, through the CAPWAP tunnel, the terminal that accesses the WLAN network. This solves the prior-art problem that the WLAN network cannot independently authenticate a terminal connected to a CPE.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method can be implemented in other ways. For example, the apparatus embodiments described above are only schematic.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention can be integrated into one processing unit, each unit can exist physically on its own, or two or more units can be integrated into one unit. The integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which can be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the embodiments of the present invention. The storage medium includes various media that can store program code, such as a USB flash drive, a portable hard drive, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they can still modify the technical solutions described in the foregoing embodiments, or replace some of the technical features with equivalents; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (18)

1. the method for a terminal access authentication is characterized in that, comprising:
Ustomer premises access equipment CPE sends the request of discovery according to the IP address of each access controller AC in the server of WLAN wlan network to said each AC;
If said CPE receives the discovery response corresponding with said discovery request that arbitrary AC returns among said each AC, then said CPE and said arbitrary AC set up the control and the configuration CAPWAP tunnel of WAP;
Said CPE inserts said wlan network through the terminal that said CAPWAP tunnel will connect said CPE, and makes the server of said wlan network carry out authentication through said CAPWAP tunnel to the terminal of inserting said wlan network.
2. The method according to claim 1, characterized by further comprising: if said CPE does not receive the discovery response, corresponding to said discovery request, from one or more of said ACs, resending the discovery request, after a preset interval, to said AC that has not returned a discovery response.
3. The method according to claim 1, characterized in that, before said CPE sends the discovery request to said each AC according to the IP address of each AC in the servers of the WLAN network, the method further comprises:
said CPE obtaining the IP address of each AC in the servers of the WLAN network from a packet data network (PDN) gateway of a Long Term Evolution Evolved Packet Core (LTE-EPC) network, said LTE-EPC network being a network connected to said WLAN network; or
said CPE obtaining the domain-name information of each AC in the servers of the WLAN network from the PDN gateway of the LTE-EPC network, sending a domain-name resolution request containing the domain-name information of said each AC to the domain name system (DNS) of said LTE-EPC network according to the domain-name information of said each AC, and receiving the IP address list that said DNS returns according to said domain-name resolution request, said IP address list comprising the IP address of said each AC.
4. The method according to any one of claims 1 to 3, characterized in that, after said CPE and said any one AC establish the CAPWAP tunnel, and before said CPE lets the terminal connected to said CPE access said WLAN network through said CAPWAP tunnel, the method further comprises:
said CPE receiving wireless access point (AP) version information that said AC with which the tunnel is established sends over said CAPWAP tunnel;
if the AP version information received by said CPE is inconsistent with the version information of the AP set in said CPE, said CPE initiating to said AC a request to update the version information of said AP, so that said AC with which the tunnel is established upgrades the version of said AP.
5. The method according to claim 1, characterized in that said CPE letting the terminal connected to said CPE access said WLAN network through said CAPWAP tunnel specifically comprises:
said CPE receiving a Dynamic Host Configuration Protocol discovery (DHCP Discovery) message and sending said DHCP Discovery message through said CAPWAP tunnel to said AC with which the tunnel is established, said DHCP Discovery message being sent by the terminal connected to said CPE to request access to said WLAN network, and said DHCP Discovery message comprising the media access control (MAC) information of said terminal; said CPE receiving a DHCP offer message, corresponding to said DHCP Discovery message, that said AC with which the tunnel is established sends through said CAPWAP tunnel, said DHCP offer message carrying the IP address, corresponding to said MAC information, allocated by said AC with which the tunnel is established;
said CPE forwarding said DHCP offer message to said terminal, so that said terminal accesses said WLAN network based on the IP address allocated by said AC with which the tunnel is established.
6. The method according to claim 5, characterized in that, before said CPE sends said DHCP Discovery message through said CAPWAP tunnel to said AC with which the tunnel is established, the method further comprises:
said CPE obtaining the MAC information of said terminal from the DHCP Discovery message sent by the terminal connected to said CPE, and sending an Association message through said CAPWAP tunnel to said AC with which the tunnel is established, said Association message comprising the MAC information of said terminal;
said CPE, after receiving the Association response message, corresponding to said Association message, that said AC with which the tunnel is established returns through said CAPWAP tunnel, establishing the association for said terminal with said AC according to the MAC information of said terminal.
7. according to claim 5 or 6 described methods, it is characterized in that, also comprise:
If said CPE receives a plurality of DHCP Discovery message that comprise identical MAC information of the terminal transmission that connects said CPE; Then said CPE is sent to the said AC that sets up the tunnel with any the DHCP Discovery message in said a plurality of DHCP Discovery message through said CAPWAP tunnel, and abandons other message in said a plurality of DHCP Discovery message.
8. The method according to claim 5 or 6, characterized in that it further comprises:
If any port of the CPE receives a plurality of DHCP Discovery messages within a pre-configured detection time, and the MAC information comprised in each of the plurality of DHCP Discovery messages is different, the plurality of DHCP Discovery messages are discarded.
9. The method according to claim 6, characterized in that it further comprises:
After the connection between the terminal and the WLAN network is broken, the CPE sends a Disassociation message through the CAPWAP tunnel to the AC with which the tunnel is established, the Disassociation message being used to make the AC with which the tunnel is established remove the association for the terminal established between it and the CPE;
The CPE receives the response message corresponding to the Disassociation message, sent by the AC through the CAPWAP tunnel, and the configuration information of a delete-terminal message element sent by the AC, and deletes the information related to the terminal according to the configuration information of the delete-terminal message element.
10. A customer premises equipment, characterized in that it comprises:
A sending unit, configured to send a discovery request to each access controller (AC) in the server of a wireless local area network (WLAN) network according to the IP address of each AC;
A receiving unit, configured to receive the discovery response, corresponding to the discovery request, returned by any AC among the ACs;
An establishing unit, configured to establish a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel with that AC after the receiving unit receives the discovery response, corresponding to the discovery request, returned by any AC among the ACs;
An access unit, configured to connect a terminal connected to the customer premises equipment to the WLAN network through the CAPWAP tunnel, and to have the server of the WLAN network authenticate, through the CAPWAP tunnel, the terminal accessing the WLAN network.
11. The customer premises equipment according to claim 10, characterized in that,
The sending unit is further configured to, when the receiving unit does not receive the discovery response corresponding to the discovery request from one or more of the ACs, send the discovery request again, after a preset time interval, to the ACs that did not return a discovery response.
12. The customer premises equipment according to claim 10, characterized in that it further comprises:
An address obtaining unit, configured to obtain the IP address of each AC in the server of the WLAN network from the packet data network (PDN) gateway of a Long Term Evolution Evolved Packet Core (LTE-EPC) network, the LTE-EPC network being a network connected to the WLAN network; or
Configured to obtain the domain name information of each AC in the server of the WLAN network from the PDN gateway of the LTE-EPC network; to send, according to the domain name information of each AC, a domain name resolution request comprising the domain name information of each AC to the domain name system (DNS) of the LTE-EPC network; and to receive the IP address list that the DNS returns according to the domain name resolution request, the IP address list comprising the IP address of each AC.
13. The customer premises equipment according to any one of claims 10 to 12, characterized in that,
The receiving unit is further configured to receive wireless access point (AP) version information that the AC with which the tunnel is established sends over the CAPWAP tunnel;
The sending unit is further configured to, when the AP version information received by the receiving unit is inconsistent with the AP version information set in the customer premises equipment, initiate to the AC a request to update the version information of the AP, so that the AC with which the tunnel is established updates the version of the AP.
14. The customer premises equipment according to claim 10, characterized in that the access unit specifically comprises:
A dispatch unit, configured to receive a Dynamic Host Configuration Protocol discovery (DHCP Discovery) message and to send the DHCP Discovery message through the CAPWAP tunnel to the AC with which the tunnel is established; the DHCP Discovery message is sent by a terminal connected to the customer premises equipment to request access to the WLAN network, and comprises media access control (MAC) information of the terminal;
A message receiving unit, configured to receive the DHCP Offer message, corresponding to the DHCP Discovery message, that the AC with which the tunnel is established sends through the CAPWAP tunnel, the DHCP Offer message carrying the IP address that the AC with which the tunnel is established has allocated for the MAC information;
A message sending unit, configured to forward the DHCP Offer message to the terminal, so that the terminal accesses the WLAN network based on the IP address allocated by the AC with which the tunnel is established.
15. The customer premises equipment according to claim 14, characterized in that the access unit further comprises:
An association message sending unit, configured to obtain the MAC information of the terminal from the DHCP Discovery message sent by the terminal connected to the customer premises equipment, and to send an Association message through the CAPWAP tunnel to the AC with which the tunnel is established, the Association message comprising the MAC information of the terminal;
An association unit, configured to establish, according to the MAC information of the terminal, an association for the terminal with the AC with which the tunnel is established, after receiving through the CAPWAP tunnel the Association response message corresponding to the Association message returned by the AC with which the tunnel is established.
16. The customer premises equipment according to claim 14 or 15, characterized in that,
The dispatch unit is further configured to, when a plurality of DHCP Discovery messages comprising identical MAC information sent by the terminal connected to the customer premises equipment are received, send any one of the plurality of DHCP Discovery messages through the CAPWAP tunnel to the AC with which the tunnel is established, and discard the other messages of the plurality of DHCP Discovery messages.
17. The customer premises equipment according to claim 14 or 15, characterized in that,
The dispatch unit is further configured to discard a plurality of DHCP Discovery messages when any port of the customer premises equipment receives the plurality of DHCP Discovery messages within a pre-configured detection time and the MAC information comprised in each of the plurality of DHCP Discovery messages is different.
18. The customer premises equipment according to claim 15, characterized in that it further comprises:
A disassociation unit, configured to send, after the connection between the terminal and the WLAN network is broken, a Disassociation message through the CAPWAP tunnel to the AC with which the tunnel is established, the Disassociation message being used to make the AC with which the tunnel is established remove the association for the terminal established between it and the CPE;
And configured to receive the response message corresponding to the Disassociation message, sent by the AC through the CAPWAP tunnel, and the configuration information of a delete-terminal message element sent by the AC, and to delete the information related to the terminal according to the configuration information of the delete-terminal message element.
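
The DHCP Discovery handling of claims 7 and 8 (and the matching dispatch unit of claims 16 and 17), as an added example that is not part of the patent text: it parses the client MAC out of each DHCP Discovery payload and decides, per CPE port and detection window, what is forwarded to the AC and what is discarded. Applying the claim 7 de-duplication inside the same detection window, discarding a window that mixes repeated and differing MACs, and all function names are assumptions of this example.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"      # RFC 2131 magic cookie, offset 236
OPT_MSG_TYPE, DHCPDISCOVER = 53, 1    # option 53, value 1 = DHCPDISCOVER

def build_discover(mac, xid, msg_type=DHCPDISCOVER):
    """Build a minimal BOOTP/DHCP payload (constructed sample input)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0x8000,   # BOOTREQUEST, Ethernet
                        b"", b"", b"", b"",           # ciaddr..giaddr zeroed
                        mac, b"", b"")                # chaddr, sname, file
    return fixed + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type, 255])

def discover_mac(payload):
    """Return the 6-byte client MAC of a well-formed DHCP Discovery, else None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    if payload[0] != 1 or payload[1] != 1 or payload[2] != 6:
        return None                       # not an Ethernet BOOTREQUEST
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:               # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                   # truncated option header
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                   # truncated option value
        if code == OPT_MSG_TYPE:
            return payload[28:34] if value == bytes([DHCPDISCOVER]) else None
        i += 2 + length
    return None

def filter_discoveries(events, detection_time):
    """Apply the claim 7 / claim 8 handling per port and detection window.

    events: (timestamp, port, payload) tuples in arrival order.
    Returns (forwarded, dropped) as lists of (port, "aa:bb:..") pairs.
    """
    windows, open_win = [], {}            # open_win: port -> index in windows
    for ts, port, payload in events:
        mac = discover_mac(payload)
        if mac is None:
            continue                      # not a Discovery: out of scope here
        idx = open_win.get(port)
        if idx is None or ts - windows[idx][1] >= detection_time:
            windows.append((port, ts, []))
            idx = open_win[port] = len(windows) - 1
        windows[idx][2].append(mac.hex(":"))
    forwarded, dropped = [], []
    for port, _start, macs in windows:
        if len(set(macs)) > 1:            # claim 8: differing MACs, drop all
            dropped += [(port, m) for m in macs]
        else:                             # claim 7: forward one, drop repeats
            forwarded.append((port, macs[0]))
            dropped += [(port, m) for m in macs[1:]]
    return forwarded, dropped

def sample_events():
    """Constructed arrivals: port 1 retransmits, port 2 sends three MACs."""
    a = bytes.fromhex("02aabbccdd01")
    b = [bytes.fromhex("02000000000%d" % n) for n in (1, 2, 3)]
    return [(0.0, 1, build_discover(a, 1)), (0.0, 2, build_discover(b[0], 2)),
            (0.1, 2, build_discover(b[1], 3)), (0.2, 1, build_discover(a, 1)),
            (0.2, 2, build_discover(b[2], 4)), (0.4, 1, build_discover(a, 1)),
            (5.0, 1, build_discover(a, 9)), (5.1, 3, b"\x01\x01\x06")]
```

Calling `filter_discoveries(sample_events(), 1.0)` forwards one Discovery per window from port 1 and discards every Discovery from port 2, whose window carried three different MACs.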
CN201210018120.5A 2012-01-19 2012-01-19 Method and customer premise equipment (CPE) for terminal access authentication Active CN102572830B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201210018120.5A CN102572830B (en) 2012-01-19 2012-01-19 Method and customer premise equipment (CPE) for terminal access authentication
PCT/CN2012/075783 WO2013107136A1 (en) 2012-01-19 2012-05-19 Terminal access authentication method and customer premise equipment
RU2013106254/08A RU2556468C2 (en) 2012-01-19 2012-05-19 Terminal access authentication method and customer premise equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210018120.5A CN102572830B (en) 2012-01-19 2012-01-19 Method and customer premise equipment (CPE) for terminal access authentication

Publications (2)

Publication Number Publication Date
CN102572830A (en) 2012-07-11
CN102572830B (en) 2015-07-08

Family

ID=46417038

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210018120.5A Active CN102572830B (en) 2012-01-19 2012-01-19 Method and customer premise equipment (CPE) for terminal access authentication

Country Status (3)

Country Link
CN (1) CN102572830B (en)
RU (1) RU2556468C2 (en)
WO (1) WO2013107136A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101217440A (en) * 2008-01-15 2008-07-09 杭州华三通信技术有限公司 An access method and access device of AP to AC in wireless LAN
CN101578828A (en) * 2007-08-24 2009-11-11 华为技术有限公司 Roaming Wi-Fi access in fixed network architectures

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340340B (en) * 2007-07-31 2012-07-11 杭州华三通信技术有限公司 Access point configuring management method and access controller
WO2010145882A1 (en) * 2009-06-18 2010-12-23 Venatech Ab An access point, a server and a system for distributing an unlimited number of virtual ieee 802.11 wireless networks through a heterogeneous infrastructure

Also Published As

Publication number Publication date
CN102572830B (en) 2015-07-08
RU2013106254A (en) 2014-08-20
RU2556468C2 (en) 2015-07-10
WO2013107136A1 (en) 2013-07-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant